Schneider Electric IIoT security flaw opens the door to hackers

Security researchers have discovered a vulnerability in Schneider Electric’s industrial controller software that could allow hackers to take over industrial networks.

According to cyber-security firm Indegy, the Industrial Internet of Things (IIoT) security scare could allow hackers to take control of industrial equipment.

“The vulnerability in Unity Pro allows any user to remotely execute code directly on any computer on which this product is installed, in debug privileges,” said Indegy researchers Mille Gandelsman and Avihay Kain in a blog post.

“The vulnerable software tool is present in every control network in the world that uses Schneider-Electric controllers. Regardless of the SCADA/DCS applications in use, if Schneider Electric controllers are deployed, this software will be used on the engineering workstations.”

The researchers added that this makes the attack relevant across virtually any process controlled by these PLCs. “Since Schneider Electric is one of the largest industrial control equipment providers, this vulnerability is a major concern.”

Gandelsman, who is CTO of Indegy, told IT security publication Threatpost, that an attacker could would have access via the flaw to valves, turbines, centrifuges and smart meters.

“With this type of access, an attacker can use it to change the recipe to drugs being manufactured by industrial control systems or turn off the power grid of a city,” he told the publication.

Patch available

Tim Erlin, senior director of Product Management at Tripwire told Internet of Business that the bad news is that this vulnerability is serious.

“The good news is that there are several steps control systems operators can take to address it, including a patch available from the vendor,” he said.

“Control systems and their components should never be accessible directly from the Internet. While that may seem obvious to many people that control systems shouldn’t be directly accessible from the Internet, it’s also a fact that many of these systems are.

“In cases where a system can’t be patched or otherwise protected, Schneider customers should be diligently monitoring for any hint of exploit activity.”